From ee91323f52f27d3fe6fad16463fa580be6bfd358 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 24 Mar 2010 23:16:35 +0000
Subject: [PATCH] PR: 1731 and maybe 2197

Clear error queue in a few places in SSL code where errors are expected
so they don't stay in the queue.
---
 ssl/d1_both.c  | 2 ++
 ssl/s3_both.c  | 2 ++
 ssl/ssl_cert.c | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 0a5c08d713..0781a4b670 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -888,6 +888,8 @@ unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
   			}
   
 		X509_verify_cert(&xs_ctx);
+		/* Don't leave errors in the queue */
+		ERR_clear_error();
 		for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
   			{
 			x = sk_X509_value(xs_ctx.chain, i);
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 7f462250c7..869a25d476 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -354,6 +354,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
 				return(0);
 				}
 			X509_verify_cert(&xs_ctx);
+			/* Don't leave errors in the queue */
+			ERR_clear_error();
 			for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
 				{
 				x = sk_X509_value(xs_ctx.chain, i);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 16fda5d8bf..361cd9c978 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -753,6 +753,8 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 			sk_X509_NAME_push(stack,xn);
 		}
 
+	ERR_clear_error();
+
 	if (0)
 		{
 err:
-- 
2.25.1